[jira] [Commented] (HADOOP-19612) Add Support for Propagating Access Token via RPC Header in HDFS

ASF GitHub Bot (Jira) Fri, 01 Aug 2025 18:42:05 -0700


    [ 
https://issues.apache.org/jira/browse/HADOOP-19612?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18011520#comment-18011520
 ]


ASF GitHub Bot commented on HADOOP-19612:
-----------------------------------------

hadoop-yetus commented on PR #7844:
URL: https://github.com/apache/hadoop/pull/7844#issuecomment-3146104159

   :broken_heart: **-1 overall**
   
   
   
   
   
   
   | Vote | Subsystem | Runtime |  Logfile | Comment |
   |:----:|----------:|--------:|:--------:|:-------:|
   | +0 :ok: |  reexec  |   0m 47s |  |  Docker mode activated.  |
   |||| _ Prechecks _ |
   | +1 :green_heart: |  dupname  |   0m  0s |  |  No case conflicting files 
found.  |
   | +0 :ok: |  codespell  |   0m  0s |  |  codespell was not available.  |
   | +0 :ok: |  detsecrets  |   0m  0s |  |  detect-secrets was not available.  
|
   | +0 :ok: |  buf  |   0m  0s |  |  buf was not available.  |
   | +0 :ok: |  buf  |   0m  0s |  |  buf was not available.  |
   | +1 :green_heart: |  @author  |   0m  0s |  |  The patch does not contain 
any @author tags.  |
   | +1 :green_heart: |  test4tests  |   0m  0s |  |  The patch appears to 
include 2 new or modified test files.  |
   |||| _ branch-3.3 Compile Tests _ |
   | +0 :ok: |  mvndep  |  16m 19s |  |  Maven dependency ordering for branch  |
   | +1 :green_heart: |  mvninstall  |  38m 27s |  |  branch-3.3 passed  |
   | +1 :green_heart: |  compile  |  19m  4s |  |  branch-3.3 passed  |
   | +1 :green_heart: |  checkstyle  |   2m 59s |  |  branch-3.3 passed  |
   | +1 :green_heart: |  mvnsite  |   3m 10s |  |  branch-3.3 passed  |
   | +1 :green_heart: |  javadoc  |   2m 34s |  |  branch-3.3 passed  |
   | +1 :green_heart: |  spotbugs  |   5m 54s |  |  branch-3.3 passed  |
   | +1 :green_heart: |  shadedclient  |  41m 29s |  |  branch has no errors 
when building and testing our client artifacts.  |
   |||| _ Patch Compile Tests _ |
   | +0 :ok: |  mvndep  |   0m 33s |  |  Maven dependency ordering for patch  |
   | +1 :green_heart: |  mvninstall  |   2m 12s |  |  the patch passed  |
   | +1 :green_heart: |  compile  |  20m 15s |  |  the patch passed  |
   | +1 :green_heart: |  cc  |  20m 15s |  |  the patch passed  |
   | +1 :green_heart: |  javac  |  20m 15s |  |  the patch passed  |
   | +1 :green_heart: |  blanks  |   0m  0s |  |  The patch has no blanks 
issues.  |
   | -0 :warning: |  checkstyle  |   3m 11s | 
[/results-checkstyle-root.txt](https://ci-hadoop.apache.org/job/hadoop-multibranch/job/PR-7844/4/artifact/out/results-checkstyle-root.txt)
 |  root: The patch generated 14 new + 171 unchanged - 0 fixed = 185 total (was 
171)  |
   | +1 :green_heart: |  mvnsite  |   3m 42s |  |  the patch passed  |
   | +1 :green_heart: |  javadoc  |   2m 48s |  |  the patch passed  |
   | +1 :green_heart: |  spotbugs  |   6m 45s |  |  the patch passed  |
   | +1 :green_heart: |  shadedclient  |  41m 52s |  |  patch has no errors 
when building and testing our client artifacts.  |
   |||| _ Other Tests _ |
   | +1 :green_heart: |  unit  |  17m 56s |  |  hadoop-common in the patch 
passed.  |
   | -1 :x: |  unit  | 231m 11s | 
[/patch-unit-hadoop-hdfs-project_hadoop-hdfs.txt](https://ci-hadoop.apache.org/job/hadoop-multibranch/job/PR-7844/4/artifact/out/patch-unit-hadoop-hdfs-project_hadoop-hdfs.txt)
 |  hadoop-hdfs in the patch passed.  |
   | +1 :green_heart: |  asflicense  |   1m 12s |  |  The patch does not 
generate ASF License warnings.  |
   |  |   | 461m 45s |  |  |
   
   
   | Reason | Tests |
   |-------:|:------|
   | Failed junit tests | hadoop.hdfs.server.datanode.TestLargeBlockReport |
   |   | hadoop.hdfs.protocol.TestBlockListAsLongs |
   |   | hadoop.hdfs.server.namenode.TestNameNodeMXBean |
   |   | hadoop.hdfs.server.balancer.TestBalancerWithHANameNodes |
   
   
   | Subsystem | Report/Notes |
   |----------:|:-------------|
   | Docker | ClientAPI=1.51 ServerAPI=1.51 base: 
https://ci-hadoop.apache.org/job/hadoop-multibranch/job/PR-7844/4/artifact/out/Dockerfile
 |
   | GITHUB PR | https://github.com/apache/hadoop/pull/7844 |
   | Optional Tests | dupname asflicense compile javac javadoc mvninstall 
mvnsite unit shadedclient spotbugs checkstyle codespell detsecrets cc buflint 
bufcompat |
   | uname | Linux d6e8e0e0322d 5.15.0-143-generic #153-Ubuntu SMP Fri Jun 13 
19:10:45 UTC 2025 x86_64 x86_64 x86_64 GNU/Linux |
   | Build tool | maven |
   | Personality | dev-support/bin/hadoop.sh |
   | git revision | branch-3.3 / d76997ac6286f87516be573788d8b2fe9489f0dd |
   | Default Java | Private Build-1.8.0_362-8u372-ga~us1-0ubuntu1~18.04-b09 |
   |  Test Results | 
https://ci-hadoop.apache.org/job/hadoop-multibranch/job/PR-7844/4/testReport/ |
   | Max. process+thread count | 3138 (vs. ulimit of 5500) |
   | modules | C: hadoop-common-project/hadoop-common 
hadoop-hdfs-project/hadoop-hdfs U: . |
   | Console output | 
https://ci-hadoop.apache.org/job/hadoop-multibranch/job/PR-7844/4/console |
   | versions | git=2.17.1 maven=3.6.0 spotbugs=4.2.2 |
   | Powered by | Apache Yetus 0.14.0 https://yetus.apache.org |
   
   
   This message was automatically generated.
   
   




> Add Support for Propagating Access Token via RPC Header in HDFS
> ---------------------------------------------------------------
>
>                 Key: HADOOP-19612
>                 URL: https://issues.apache.org/jira/browse/HADOOP-19612
>             Project: Hadoop Common
>          Issue Type: New Feature
>          Components: hadoop-common
>            Reporter: Tom McCormick
>            Assignee: Tom McCormick
>            Priority: Major
>              Labels: pull-request-available
>             Fix For: 3.5.0
>
>
> *Description:*
> To support modern authentication models (e.g., bearer tokens, OAuth2), we 
> propose adding support in HDFS to propagate an access token via the RPC 
> request header. This enables downstream services (e.g., NameNode, Router) to 
> validate access tokens in a secure and standardized way.
> The token will be passed in a dedicated field in the 
> {{{}RpcRequestHeaderProto{}}}, mimicking the behavior of an HTTP 
> {{Authorization: Bearer <token>}} header. The caller context or UGI may 
> extract this token and use it for authorization decisions or auditing.
> *Benefits:*
>  * Enables secure, token-based authentication in multi-tenant environments
>  * Lays the foundation for fine-grained, per-request authorization
> *Scope:*
>  * Add optional {{authorization_token}} field to RPC header
>  * Ensure token is thread-local or caller-context scoped
>  * Wire it through relevant client and server code paths
>  * Provide configuration to enable/disable this feature
> *Notes:*
> This feature is intended to be backward-compatible with existing HDFS 
> clients. If the token is not set, behavior will remain unchanged.
> At Linkedin, we plan to delegate auth to a custom enforcement point in RBF. 
> The workflow is the client will get an access token and pass that in the RPC. 
> The request and access token will be authorized in the custom authorizer. 
>  
>  
> *PR*
> [https://github.com/apache/hadoop/pull/7803/files#diff-55740268215623b4037dd1bd35200c383576bee23d444096eb9cee751e3728f3]
>  



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

---------------------------------------------------------------------
To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: common-issues-h...@hadoop.apache.org

[jira] [Commented] (HADOOP-19612) Add Support for Propagating Access Token via RPC Header in HDFS

Reply via email to